Reputation: 6487
I am about to start a project that consists of several microservices and I was researching how I can implement authorization for each microservice. My architecture is the following: a web project that consists of an ASP.NET Core site with Angular 2. Each module (menu item and its submenus) will be communicating with a microservice (each microservice will have a database). Each microservice will have its own permissions, e.g. MS1 will have CRUD Products, MS2 will have CRUD Orders, etc. My questions are:
Upvotes: 1
Views: 1694
Reputation: 1082
Based on your explanation, you have to take a look at IdentityServer, which is based on OAuth and OIDC. Of course, you mentioned that
"No, I am not saying credentials authentication is done using OAuth. I am speaking about authorisation"
in the comment, but you have to consider that it also consists of authorization and not only authentication. In such a scenario you have an IdentityServer service and, besides handling user authentication, services refer to it to determine authentication and authorization (sometimes you may even have service-to-service authorization). In IdentityServer the services are registered and the access policy for their endpoints is configured.
Upvotes: 0
Reputation: 26
Create the JWT authentication code in one relevant microservice and store the token in the front end (as cookies or in the browser's local storage). When making requests to secure endpoints (like any protected API routes) on the backend, you can include the JWT token in the request header, like this:
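import axios from "axios";

// Send the stored JWT as a Bearer token; `payload` is the request body.
axios.post(`http://localhost:12000/api/whateveryourURL`, payload, {
  headers: {
    "Authorization": `Bearer ${JSON.parse(sessionStorage.getItem("token")).jwtToken}`
  }
})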
So, based on what I understood from your question, I don't think you have to do the same code multiple times in the backend for authorization.
Upvotes: 0
Reputation: 679
.NET Core now provides just enough infrastructure to implement auth in microservices. I have implemented a basic solution with .NET Core 3.0 and you can grab the code from GitHub: https://github.com/optiklab/actio_3.0
I can also update the code if you need some more examples. LMK
Upvotes: 1
Reputation: 8147
A microservice should not share functionality with other microservices. It's a functional unit. If many of your services utilize the same code, there's nothing wrong with extending some common codebase into various different microservices. Even better: write all the common code in some library and have all of them include/import it.
I think you might be confusing code-level with microservices (a functional level).
Regarding the auth issue: As stated in the comment to the question, it's not clear which authorization is discussed there. If you're referring to users of the microservices, it might make sense to have one auth-gateway to handle all incoming requests and then (once authorized) re-route the request to the actual service. In this sense, inside your cloud, no authorization would be required, allowing easier inter-service communication. Only requests coming from the outside would need to authorize.
Or you could authorize in every service. This makes less sense to me, though. If you go with this approach, you could have the common code (authorization or anything else) as a library.
Upvotes: 0
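The shared-library idea from the last answer, applied to the Bearer token from the earlier answer and the per-service permissions in the question, could look like the sketch below. It is an added example, not code from any of the posts; the HS256 shared secret, the `aud` and `permissions` claim names, and the `signToken` and `authorize` helpers are assumptions.

```javascript
const crypto = require("node:crypto");

const b64url = (s) => Buffer.from(s).toString("base64url");

// Demo-only issuer (hypothetical): mints an HS256 token for the sample below.
function signToken(claims, secret) {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(claims));
  const sig = crypto.createHmac("sha256", secret).update(`${head}.${body}`).digest("base64url");
  return `${head}.${body}.${sig}`;
}

// Shared check each service imports; `audience` is the service's own name.
function authorize(authHeader, { secret, audience, permission, now = Date.now() }) {
  const m = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(authHeader || "");
  if (!m) return { ok: false, reason: "malformed" };
  const [, head, body, sig] = m;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(head, "base64url").toString());
    claims = JSON.parse(Buffer.from(body, "base64url").toString());
  } catch {
    return { ok: false, reason: "malformed" };
  }
  // Pin the algorithm server-side; the token never gets to choose it.
  if (header.alg !== "HS256") return { ok: false, reason: "bad-alg" };
  const expected = crypto.createHmac("sha256", secret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad-signature" };
  }
  if (typeof claims.exp !== "number" || claims.exp * 1000 <= now) {
    return { ok: false, reason: "expired" };
  }
  // A token issued for one service must not be accepted by another.
  if (claims.aud !== audience) return { ok: false, reason: "wrong-audience" };
  if (!Array.isArray(claims.permissions) || !claims.permissions.includes(permission)) {
    return { ok: false, reason: "forbidden" };
  }
  return { ok: true, reason: "allowed", sub: claims.sub };
}

// Constructed sample values (assumptions, not from the page).
const SECRET = "demo-secret-change-me";
const NOW = 1700000000000;
const SAMPLE_TOKEN = signToken({ sub: "alice", aud: "orders", exp: 1700000600, permissions: ["orders:read"] }, SECRET);
console.log(authorize(`Bearer ${SAMPLE_TOKEN}`, { secret: SECRET, audience: "orders", permission: "orders:read", now: NOW }));
```

The same function works behind a gateway or inside each service; only the `audience` and `permission` arguments differ per service.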